Shai-Hulud
Shai-Hulud is a credential-stealing, self-propagating software supply-chain worm/infostealer that spreads through open source package ecosystems, especially npm and also PyPI. It targets developer workstations, CI/CD runners, and software publishing workflows, harvesting secrets such as GitHub and npm tokens, cloud credentials, SSH keys, Docker credentials, GPG keys, Kubernetes and Vault material, GitHub Actions secrets, and .env contents. Multiple reports describe it as designed to compromise developers, steal credentials, and then use trusted software-supply-chain workflows to spread further by abusing stolen maintainer credentials, GitHub repository access, GitHub Actions identities, and npm Trusted Publishing/OIDC-based publishing flows.
Observed delivery and execution methods include npm preinstall hooks, obfuscated JavaScript loaders, and in newer waves abuse of binding.gyp/node-gyp execution during npm install to evade tools focused only on package.json lifecycle scripts. In Red Hat-related intrusions, attackers reportedly used a compromised GitHub developer account to push unauthorized commits, add malicious GitHub Actions workflows, obtain short-lived OIDC tokens, and publish trojanized package versions under the legitimate @redhat-cloud-services namespace. JFrog also analyzed a Shai-Hulud variant in 31 hijacked @redhat-cloud-services package versions that used a multi-stage loader, AES-128-GCM-encrypted payloads, Bun bootstrap/download logic, transient /tmp execution, and install-time execution via preinstall.
Core behavior repeatedly attributed to the family includes stealing local and cloud credentials, searching for GitHub and npm tokens, abusing GitHub Actions identities, propagating through npm packages and GitHub repositories, and installing persistence on developer machines. Reported propagation mechanisms include validating stolen credentials, enumerating accessible repositories and packages, injecting malicious code or workflow files into writable GitHub repositories, creating attacker-controlled or victim-account GitHub repositories for exfiltration, and publishing new malicious versions of legitimate packages using compromised maintainer access. Some variants also target IDE and developer-tool configuration associated with Claude Code, Cursor, Gemini, VS Code, Copilot, Codex, Kiro, and opencode.
The malware family has been linked in reporting to TeamPCP because TeamPCP publicly released/open-sourced Mini Shai-Hulud source code, after which multiple campaigns and derivatives appeared. Several sources state TeamPCP claimed responsibility for versions of Shai-Hulud, but attribution for later variants such as Miasma is not definitive because copycats may also be using the leaked code. Miasma is described as a newer Shai-Hulud variant/campaign affecting the npm ecosystem, including 281 malicious npm versions in one Sonatype-tracked wave and more than 30 compromised @redhat-cloud-services packages in another. Miasma is reported to add stronger obfuscation, staged payload delivery, persistence, enhanced cloud credential theft, unique encrypted payloads per infection, and GitHub-based adaptive payload delivery.
High-confidence indicators and campaign markers directly mentioned in the content include the strings "Miasma: The Spreading Blight" and "Miasma : The Spreading Blight," GitHub commits tagged with "firedalazer," attacker-created GitHub repositories described as "Miasma: The Spreading Blight," and the token-related string "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner." OX Security reported a six-stage payload chain with 15 dropped payloads in one advanced Shai-Hulud/Miasma intrusion, including memory dump tools, token monitors, Claude API hooks, and a GitHub-based payload dropper. JFrog reported persistence artifacts such as kitty-monitor.service on Linux and com.user.kitty-monitor.plist on macOS, plus a gh-token-monitor dead-man-switch component in one analyzed variant.
Victims and targets mentioned in the content include developers broadly, especially enterprise infrastructure developers and open source maintainers, as well as organizations and ecosystems affected through compromised packages and repositories. Reported incidents and targets include npm packages associated with Bitwarden, SAP, TanStack, OpenAI, Mistral AI, Microsoft DurableTask, and Red Hat’s @redhat-cloud-services namespace. The malware is consistently characterized as a force multiplier for attackers seeking to sweep up credentials and continue compromising repositories and package registries through trusted development and CI/CD channels.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
359 GitHub repos created with encrypted stolen credentials — “Shai-Hulud: Here We Go Again.” CVE-2026-45321 published CVSS 9.6 critical. Mitre, CISA, and major registry operators issue coordinated advisories. | Shai-Hulud is, at this point, a very familiar name... The most recent one being the so-called Mini Shai-Hulud... they are back again... compromising the TanStack Router packages, and starting a brand new campaign based on Mini Shai-Hulud.
In the Shai-Hulud incident, the compromised packages (MAL-2025-46974 and CVE-2025-59144) were identified early, providing actionable findings that customers could remediate quickly.
Groups observed using it
1 distinct threat actor attributed by public researchers.
This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Use stolen maintainer credentials to create and publish malicious package artifacts.
If it has a usable GitHub token, it can create a public repository under the victim account ... The npm propagation path activates when the payload finds npm credentials with sufficient publish permissions.
The campaign, which JFrog has dubbed "IronWorm," targets developers through compromised npm publishing workflows and malicious package updates.
TeamPCP specializes in supply-chain attacks against open-source software... The group has claimed responsibility for a spate of supply-chain attacks targeting JavaScript and Python software repositories through wormable malware known as Shai-Hulud.
Execution
3 techniques
The malicious behavior comes from abusing command execution inside the `binding.gyp` configuration. Instead of compiling a legitimate native extension, the configuration can execute a malicious JavaScript payload during the package installation process.
an npm install can lead to node, then curl and unzip, and then bun run executing a temporary file.
The delivery chain starts with a single large JavaScript file invoked by node during preinstall. | its package metadata includes a hidden install-time execution path: { "name": "@redhat-cloud-services/types", "version": "3.6.1", "scripts": { "preinstall": "node index.js" } }
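Added example (not code from the reports quoted here): a Node.js audit that lists both install-time execution paths this section describes, package.json lifecycle scripts and binding.gyp, so a package with an empty scripts block is still flagged. The function names and finding labels are illustrative assumptions; gyp command expansions also appear in legitimate native addons, so findings are for review, not a verdict.

```javascript
// Added example: list every install-time execution path a package exposes.
// Lifecycle hooks npm runs when installing a dependency.
const HOOKS = ["preinstall", "install", "postinstall"];

function auditPackage(pkgJsonText, bindingGypText = null) {
  const findings = [];
  let pkg = {};
  try {
    pkg = JSON.parse(pkgJsonText) || {};
  } catch {
    findings.push({ kind: "unparseable-package-json" });
  }
  const scripts = pkg.scripts || {};
  for (const hook of HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-script", hook, command: scripts[hook] });
    }
  }
  if (bindingGypText !== null) {
    // With binding.gyp present and no install/preinstall script declared,
    // npm runs `node-gyp rebuild` on its own: nothing shows in "scripts".
    if (!scripts.install && !scripts.preinstall) {
      findings.push({ kind: "implicit-node-gyp-rebuild" });
    }
    // gyp expands <!(cmd) and <!@(cmd) by executing cmd at configure time.
    for (const line of bindingGypText.split(/\r?\n/)) {
      if (/<!@?\(/.test(line)) {
        findings.push({ kind: "gyp-command-expansion", line: line.trim() });
      }
    }
  }
  return findings;
}

// Walk a node_modules tree (scope directories and nested installs included).
function scanNodeModules(root) {
  const fs = require("fs"), path = require("path");
  const report = [];
  for (const ent of fs.readdirSync(root, { withFileTypes: true })) {
    if (!ent.isDirectory()) continue; // symlinks are skipped, so no loops
    const dir = path.join(root, ent.name);
    const pj = path.join(dir, "package.json");
    const gyp = path.join(dir, "binding.gyp");
    if (fs.existsSync(pj)) {
      const findings = auditPackage(fs.readFileSync(pj, "utf8"),
        fs.existsSync(gyp) ? fs.readFileSync(gyp, "utf8") : null);
      if (findings.length) report.push({ dir, findings });
    }
    report.push(...scanNodeModules(dir));
  }
  return report;
}
```

Calling scanNodeModules("./node_modules") after an install run with --ignore-scripts gives the list to review before any hook is allowed to execute.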
Persistence
6 techniques
Use stolen maintainer credentials to create and publish malicious package artifacts.
If it has a usable GitHub token, it can create a public repository under the victim account ... The npm propagation path activates when the payload finds npm credentials with sufficient publish permissions.
on macOS, it can install com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist
On Linux, it can install a user-level kitty-monitor.service ... Stop and remove kitty-monitor persistence on Linux ... ~/.config/systemd/user/kitty-monitor.service
It can write a local payload copy under ~/.config/index.js and add session-start hooks ... It can also add VS Code folder-open tasks that execute a setup script when a repository is opened.
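Added example (not from the cited reports): a Node.js triage helper that checks a home directory for the persistence paths quoted in this section and lists VS Code tasks set to run on folder open. The function names are assumptions, the file paths are the ones on this page, and the task check relies on VS Code's runOptions.runOn = "folderOpen" setting.

```javascript
// Added example: host triage for the persistence artifacts named on this page.
const KNOWN_PATHS = [
  "Library/LaunchAgents/com.user.kitty-monitor.plist",    // macOS
  "Library/LaunchAgents/com.user.gh-token-monitor.plist", // macOS
  ".config/systemd/user/kitty-monitor.service",           // Linux
  ".config/index.js",                                     // local payload copy
];

// tasks.json is JSON with comments: strip whole-line and block comments and
// trailing commas before parsing, and report the file if it still fails.
function folderOpenTasks(tasksJsonText) {
  const cleaned = tasksJsonText
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/^\s*\/\/.*$/gm, "")
    .replace(/,(\s*[}\]])/g, "$1");
  let doc;
  try {
    doc = JSON.parse(cleaned);
  } catch {
    return [{ label: "(unparseable tasks.json)", command: "" }];
  }
  const tasks = doc && Array.isArray(doc.tasks) ? doc.tasks : [];
  return tasks
    .filter((t) => t && t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      label: t.label || "",
      command: [t.command, ...(t.args || [])].join(" "),
    }));
}

// homeDir: the user's home directory; repoDirs: checked-out repositories.
function triage(homeDir, repoDirs = []) {
  const fs = require("fs"), path = require("path");
  const hits = [];
  for (const rel of KNOWN_PATHS) {
    const p = path.join(homeDir, rel);
    if (fs.existsSync(p)) hits.push({ kind: "persistence-file", path: p });
  }
  for (const repo of repoDirs) {
    const p = path.join(repo, ".vscode", "tasks.json");
    if (!fs.existsSync(p)) continue;
    for (const t of folderOpenTasks(fs.readFileSync(p, "utf8"))) {
      hits.push({ kind: "vscode-folder-open-task", path: p, ...t });
    }
  }
  return hits;
}
```

A folder-open task is not malicious by itself; compare each reported command against what the repository is expected to run.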
Privilege Escalation
5 techniques
Use stolen maintainer credentials to create and publish malicious package artifacts.
If it has a usable GitHub token, it can create a public repository under the victim account ... The npm propagation path activates when the payload finds npm credentials with sufficient publish permissions.
on macOS, it can install com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.kitty-monitor.plist ... ~/Library/LaunchAgents/com.user.gh-token-monitor.plist
On Linux, it can install a user-level kitty-monitor.service ... Stop and remove kitty-monitor persistence on Linux ... ~/.config/systemd/user/kitty-monitor.service
Stealth
4 techniques
The attack begins with an obfuscated index.js payload that proceeds through decryption and decoding stages and ultimately drops 15 distinct payloads...
Use stolen maintainer credentials to create and publish malicious package artifacts.
If it has a usable GitHub token, it can create a public repository under the victim account ... The npm propagation path activates when the payload finds npm credentials with sufficient publish permissions.
After this wrapper is removed, the next stage decrypts two AES-128-GCM blobs. One blob is a small Bun bootstrapper ... and the other is the main Shai-Hulud payload.
Defense Impairment
1 technique
Credential Access
4 techniques
The attack's malware, which its authors named Miasma, differed from the TeamPCP original only cosmetically ... while the underlying credential-stealing functionality remained intact.
The recent wave of supply chain attacks targeting packages, extensions, and CI pipelines, such as Shai-Hulud, Megalodon and Miasma, should be read less as isolated package integrity failures and more as credential-harvesting campaigns.
In GitHub Actions environments, it can use ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL to request an OIDC token for npm:registry.npmjs.org, exchange it at the npm registry, and publish through the obtained identity.
The malware, written in Rust, harvests a wide range of developer secrets, including API keys, cloud credentials, SSH keys, and npm publishing tokens, and reuses them to spread further across the software supply chain.
Discovery
1 technique
Validate stolen credentials and enumerate accessible repositories, services, and permission levels.
Lateral Movement
1 technique
Furthermore, the autonomous worm weaponizes these stolen keys to facilitate rapid lateral movement across interconnected development pipelines.
Command and Control
6 techniques
GitHub actually works as a malicious C2 server, but not just for uploading stolen data, but storing the malicious code as well... This turns GitHub into something more dangerous than a dead drop. It’s an adaptive C2
Rather than merely hosting exfiltrated data, the threat actor stores malicious code in GitHub repositories and uses commits tagged with the string “firedalazer” as a dynamic payload delivery mechanism.
The payload also retains the GitHub dead-drop model seen in previous Shai-Hulud waves.
While conventional npm malware operates with one to three execution stages, Shai-Hulud deploys a six-stage payload delivery chain that loops back on itself in an endless execution cycle.
The attack begins with an obfuscated index.js payload that proceeds through decryption and decoding stages and ultimately drops 15 distinct payloads including memory dump tools, token monitors, Claude API hooks, and a GitHub-based payload dropper.
The threat actor can dynamically change the “firedalazer” commits in GitHub, making new versions of the malware, more adaptive and more sophisticated.
Exfiltration
2 techniques
Collect system, user, developer configuration, and CI/CD environment data. Search for GitHub access tokens, package registry authentication tokens, and cloud-related secrets.
The threat actor isn’t just uploading exfiltrated credentials to a GitHub repo — they’re storing the malicious code there, and using commits tagged with the “firedalazer” string as a live update mechanism.
IOCs tracked for this family
134 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malicious npm supply-chain malware that abuses install-time execution via binding.gyp/node-gyp during npm install to collect developer and CI/CD data, steal credentials and secrets, validate access, and self-propagate by publishing new malicious versions of legitimate packages using stolen maintainer credentials.
Referenced as a related npm worm lineage using a similar propagation model based on trusted automation identities and npm Trusted Publishing OIDC token exchange.
A malicious NPM worm designed to search for and exfiltrate NPM and GitHub tokens at scale as part of a supply-chain compromise scenario.
Named malware involved in npm supply-chain attacks, referenced here as behaviorally similar to IronWorm and potentially related through shared commit naming patterns.